The presence of adversarial examples poses a significant threat to deep learning models and their applications. Existing defense methods provide some resilience against adversarial examples, but often suffer from decreased accuracy and generalization performance, making it challenging to achieve a trade-off between robustness and generalization. To address this, our paper interprets the adversarial example problem from the perspective of sample distribution and proposes a defense method based on distribution shift, leveraging the distribution transfer capability of a diffusion model for adversarial defense. The core idea is to exploit the discrepancy between the normal and adversarial sample distributions to achieve adversarial defense using a pretrained diffusion model. Specifically, an adversarial sample undergoes a forward diffusion process, moving away from its source distribution, followed by a reverse process guided by the output of the protected model (victim model) to map it back to the normal distribution. Experimental evaluations on the CIFAR10 and ImageNet30 datasets are conducted, comparing with adversarial training and input preprocessing methods. For infinity-norm (L∞) attacks with 8/255 perturbation, accuracy rates of 78.1% and 83.5% are achieved, respectively. For 2-norm (L2) attacks with 128/255 perturbation, accuracy rates are 74.3% and 82.5%. Additional experiments considering perturbation amplitude, diffusion iterations, and adaptive attacks also validate the effectiveness of the proposed method. Results demonstrate that even when the attacker has knowledge of the defense, the proposed distribution-based method effectively withstands adversarial examples. It fills gaps left by traditional approaches, restoring high-quality original samples and showing superior performance in model robustness and generalization.
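As an added illustration (not code from the paper), a 2-D toy run of the purification idea described above: the pretrained diffusion model is replaced by the exact score of a two-Gaussian data distribution, the victim is a logistic unit that over-weights a nearly constant feature (so a small off-distribution shift flips it), and the guidance term, whose exact form the abstract does not specify, is assumed to be classifier guidance toward the victim's current prediction. The noise schedule, sample points and forward-noise vector are constructed for reproducibility.

```python
import numpy as np

# --- Constructed stand-ins for this example (not the paper's models) ---
MU = np.array([[-2.0, 0.0], [2.0, 0.0]])   # class means of the "normal" data distribution
VAR0 = np.array([0.25, 0.0025])            # per-dim variance; dim 2 is almost constant in normal data
W = np.array([1.0, 10.0])                  # brittle victim: relies heavily on the low-variance dim
T = 50
BETAS = np.linspace(1e-3, 0.1, T)          # linear DDPM noise schedule
ALPHAS = 1.0 - BETAS
ALPHA_BAR = np.cumprod(ALPHAS)             # ALPHA_BAR[t-1] is alpha-bar at step t

def victim_prob(x):
    """Protected (victim) model: P(class 1 | x) from a logistic unit."""
    return 1.0 / (1.0 + np.exp(-(W @ x)))

def victim_label(x):
    return int(victim_prob(x) > 0.5)

def score(x, t):
    """Exact score of the diffused data marginal p_t(x); stands in for a pretrained denoiser."""
    ab = ALPHA_BAR[t - 1]
    means = np.sqrt(ab) * MU                      # modes shrink with the forward process
    var = ab * VAR0 + (1.0 - ab)                  # data variance plus injected noise
    logp = -0.5 * np.sum((x - means) ** 2 / var, axis=1)
    resp = np.exp(logp - logp.max()); resp /= resp.sum()   # mixture responsibilities
    return -(resp[:, None] * (x - means) / var).sum(axis=0)

def purify(x, t_star, eps, guidance=0.1, rng=None):
    """Forward-diffuse x to step t_star with noise eps, then run the guided reverse process to step 0."""
    x, eps = np.asarray(x, dtype=float), np.asarray(eps, dtype=float)
    ab = ALPHA_BAR[t_star - 1]
    xt = np.sqrt(ab) * x + np.sqrt(1.0 - ab) * eps          # forward process: leave the source distribution
    for t in range(t_star, 0, -1):
        beta = BETAS[t - 1]
        mean = (xt + beta * score(xt, t)) / np.sqrt(ALPHAS[t - 1])   # DDPM posterior mean via the score
        y_hat = victim_label(xt)                                     # assumed guidance: victim's current output
        mean = mean + beta * guidance * (y_hat - victim_prob(xt)) * W  # grad of log P(y_hat | x) for a logistic unit
        noise = rng.standard_normal(2) if (rng is not None and t > 1) else 0.0
        xt = mean + np.sqrt(beta) * noise                            # deterministic when rng is None
    return xt

X_CLEAN = np.array([-2.0, 0.0])          # a normal class-0 sample (constructed)
X_ADV = X_CLEAN + np.array([0.0, 0.3])   # small shift along the nearly constant feature flips the victim
EPS = np.array([0.5, 0.8])               # fixed forward noise so the run is reproducible

if __name__ == "__main__":
    print("victim on clean:", victim_label(X_CLEAN), "on adversarial:", victim_label(X_ADV))
    x_pur = purify(X_ADV, 20, EPS)
    print("purified:", x_pur.round(3), "victim on purified:", victim_label(x_pur))
```

The reverse process pulls the perturbed feature back to the low-variance region of the normal distribution, so the victim's decision is restored without retraining it; pass a seeded `numpy` generator as `rng` to see the stochastic (ancestral) variant.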